Fix elasticache issue and bump version (#224)

* Fix elasticache issue and bump version

* Fix tests due to AWS changes

Author: kmcquade

CHANGELOG.md

@@ -1,5 +1,8 @@
 # Changelog
 
+## 0.8.7 (2020-09-06)
+* Fixes elasticache query issue #223
+
 ## 0.8.6 (2020-09-05)
 * Fix issue with ARN matching (#215)
 * Fixed issue where query command was not leveraging local database (#220)

docs/contributing/iam-database.md

@@ -67,8 +67,6 @@ Keys pages per-service to the `policy_sentry/shared/data/docs` folder.
 
 -   The HTML files will be stored in
     `policy_sentry/shared/data/docs/list_*.html`
--   It also add a file titled `policy_sentry/shared/data/links.yml` as
-    well.
 -   It also builds a JSON file that serves as the IAM data source to include as part of the PyPi
     package.
 
@@ -82,8 +80,7 @@ python3 ./utils/download_docs.py
 ```
 
 This downloads the Actions, Resources, and Condition Keys pages
-per-service to the `policy_sentry/shared/data/docs` folder. It also add
-a file titled `policy_sentry/shared/data/links.yml` as well.
+per-service to the `policy_sentry/shared/data/docs` folder.
 
 When a user runs `policy_sentry initialize`, these files are copied over
 to the config folder (`~/.policy_sentry/`).

examples/yml/crud-with-override.yml

@@ -4,7 +4,7 @@ permissions-management:
 - arn:aws:s3:::example-org-s3-access-logs
 wildcard-only:
     single-actions:
-    - secretsmanager:CreateSecret
+    - ram:getresourcepolicies
 skip-resource-constraints:
 - ssm:GetParameter
 - ssm:GetParameters

examples/yml/crud-with-wildcard-service-level.yml

@@ -6,7 +6,6 @@ wildcard-only:
     single-actions:
     - ram:enablesharingwithawsorganization
     - ram:getresourcepolicies
-    - secretsmanager:createsecret
     service-read:
     - ecr # GetAuthorizationToken
     - s3 # GetAccessPoint, GetAccountPublicAccessBlock, ListAccessPoints

examples/yml/crud-with-wildcard.yml

@@ -6,5 +6,4 @@ wildcard-only:
     single-actions:
     - ram:enablesharingwithawsorganization
     - ram:getresourcepolicies
-    - secretsmanager:createsecret
     - secretsmanager:putsecretvalue # attempting bypass

policy_sentry/bin/cli.py

@@ -2,7 +2,7 @@
 """
     Policy Sentry is a tool for generating least-privilege IAM Policies.
 """
-__version__ = "0.8.6"
+__version__ = "0.8.7"
 import click
 from policy_sentry import command
 

policy_sentry/command/initialize.py

@@ -93,13 +93,11 @@ def initialize(access_level_overrides_file=None, fetch=False, build=False):
         shutil.copy(BUNDLED_DATASTORE_FILE_PATH, database_path)
 
     # --fetch: wget the AWS IAM Actions, Resources and Condition Keys pages and store them locally.
-    # if --build and --fetch are both supplied, just do --fetch
     if fetch:
         # `wget` the html docs to the local directory
         update_html_docs_directory(LOCAL_HTML_DIRECTORY_PATH)
-        create_database(CONFIG_DIRECTORY, overrides_file)
 
-    # initialize --build
+    # --build
     if build or access_level_overrides_file or fetch:
         create_database(CONFIG_DIRECTORY, overrides_file)
         print("Created the database!")
@@ -135,7 +133,6 @@ def create_policy_sentry_config_directory():
 def create_html_docs_directory():
     """
     Copies the HTML files from the pip package over to its own folder in the CONFIG_DIRECTORY.
-    Also copies over the links.yml file, which is a mapping of services and relevant HTML links in the AWS docs.
     Essentially:
     mkdir -p ~/.policy_sentry/data/docs
     cp -r $MODULE_DIR/policy_sentry/shared/data/docs ~/.policy_sentry/data/docs

policy_sentry/command/query.py

@@ -1,6 +1,7 @@
 """
 Allow users to use specific pre-compiled queries against the action, arn, and condition tables from command line.
 """
+import os
 import json
 import logging
 import click
@@ -25,9 +26,11 @@
     get_condition_keys_for_service,
     get_condition_key_details,
 )
+from policy_sentry.shared.constants import DATASTORE_FILE_PATH, LOCAL_DATASTORE_FILE_PATH
 
 logger = logging.getLogger(__name__)
 click_log.basic_config(logger)
+iam_definition_path = DATASTORE_FILE_PATH
 
 
 @click.group()
@@ -84,7 +87,13 @@ def action_table(name, service, access_level, condition, wildcard_only, fmt):
 def query_action_table(
     name, service, access_level, condition, wildcard_only, fmt="json"
 ):
-    """Query the Action Table from the Policy Sentry database. Use this one when leveraging Policy Sentry as a library."""
+    """Query the Action Table from the Policy Sentry database.
+    Use this one when leveraging Policy Sentry as a library."""
+    if os.path.exists(LOCAL_DATASTORE_FILE_PATH):
+        logger.info(f"Using the Local IAM definition: {LOCAL_DATASTORE_FILE_PATH}. To leverage the bundled definition instead, remove the folder $HOME/.policy_sentry/")
+    else:
+        # Otherwise, leverage the datastore inside the python package
+        logger.debug("Leveraging the bundled IAM Definition.")
     # Actions on all services
     if service == "all":
         all_services = get_all_service_prefixes()
@@ -191,6 +200,11 @@ def arn_table(name, service, list_arn_types, fmt="json"):
 
 def query_arn_table(name, service, list_arn_types, fmt):
     """Query the ARN Table from the Policy Sentry database. Use this one when leveraging Policy Sentry as a library."""
+    if os.path.exists(LOCAL_DATASTORE_FILE_PATH):
+        logger.info(f"Using the Local IAM definition: {LOCAL_DATASTORE_FILE_PATH}. To leverage the bundled definition instead, remove the folder $HOME/.policy_sentry/")
+    else:
+        # Otherwise, leverage the datastore inside the python package
+        logger.debug("Leveraging the bundled IAM Definition.")
     # Get a list of all RAW ARN formats available through the service.
     if name is None and list_arn_types is False:
         output = get_raw_arns_for_service(service)
@@ -236,7 +250,13 @@ def condition_table(name, service, fmt):
 
 
 def query_condition_table(name, service, fmt="json"):
-    """Query the condition table from the Policy Sentry database. Use this one when leveraging Policy Sentry as a library."""
+    """Query the condition table from the Policy Sentry database.
+    Use this one when leveraging Policy Sentry as a library."""
+    if os.path.exists(LOCAL_DATASTORE_FILE_PATH):
+        logger.info(f"Using the Local IAM definition: {LOCAL_DATASTORE_FILE_PATH}. To leverage the bundled definition instead, remove the folder $HOME/.policy_sentry/")
+    else:
+        # Otherwise, leverage the datastore inside the python package
+        logger.debug("Leveraging the bundled IAM Definition.")
     # Get a list of all condition keys available to the service
     if name is None:
         output = get_condition_keys_for_service(service)

policy_sentry/shared/awsdocs.py

@@ -151,11 +151,14 @@ def create_database(destination_directory, access_level_overrides_file):
     schema = []
 
     # for filename in ['list_amazonathena.partial.html']:
-    for filename in [
-        f
-        for f in os.listdir(BUNDLED_HTML_DIRECTORY_PATH)
-        if os.path.isfile(os.path.join(BUNDLED_HTML_DIRECTORY_PATH, f))
-    ]:
+    file_list = []
+    for filename in os.listdir(BUNDLED_HTML_DIRECTORY_PATH):
+        if os.path.isfile(os.path.join(BUNDLED_HTML_DIRECTORY_PATH, filename)):
+            if filename not in file_list:
+                file_list.append(filename)
+
+    file_list.sort()
+    for filename in file_list:
         if not filename.startswith("list_"):
             continue
 
@@ -316,9 +319,8 @@ def create_database(destination_directory, access_level_overrides_file):
 
             # Get resource table
             for table in tables:
-                if "<th> Resource Types </th>" not in [
-                    chomp(str(x)) for x in table.find_all("th")
-                ]:
+                header_cells = [chomp(str(x)) for x in table.find_all("th")]
+                if "<th> Resource Types </th>" not in header_cells:
                     continue
 
                 rows = table.find_all("tr")

policy_sentry/shared/constants.py

@@ -30,9 +30,8 @@
 # Check for the existence of the local datastore first.
 if os.path.exists(LOCAL_DATASTORE_FILE_PATH):
     # If it exists, leverage that datastore instead of the one bundled with the python package
-    logger.info(f"The IAM definition at {LOCAL_DATASTORE_FILE_PATH} exists. "
-                f"Leveraging that IAM definition instead of the definition bundled with the python package. "
-                f"To leverage the bundled definition, remove the folder $HOME/.policy_sentry/")
+    logger.info(f"Leveraging the local IAM definition at the path: {LOCAL_DATASTORE_FILE_PATH} "
+                f"To leverage the bundled definition instead, remove the folder $HOME/.policy_sentry/")
     DATASTORE_FILE_PATH = LOCAL_DATASTORE_FILE_PATH
 else:
     # Otherwise, leverage the datastore inside the python package

policy_sentry/shared/data/docs/list_amazonathena.html

@@ -216,7 +216,7 @@ <h2 id="amazonathena-actions-as-permissions">
            </p>
            <div class="table-container">
             <div class="table-contents">
-             <table id="w468aac34c14c29c75c11b9">
+             <table id="w468aac33c14c29c75c11b9">
               <thead>
                <tr>
                 <th>
@@ -1116,7 +1116,7 @@ <h2 id="amazonathena-resources-for-iam-policies">
            </p>
            <div class="table-container">
             <div class="table-contents">
-             <table id="w468aac34c14c29c75c13b5">
+             <table id="w468aac33c14c29c75c13b5">
               <thead>
                <tr>
                 <th>
@@ -1236,7 +1236,7 @@ <h2 id="amazonathena-policy-keys">
            </p>
            <div class="table-container">
             <div class="table-contents">
-             <table id="w468aac34c14c29c75c15b7">
+             <table id="w468aac33c14c29c75c15b7">
               <thead>
                <tr>
                 <th>

policy_sentry/shared/data/docs/list_amazonchime.html

@@ -784,6 +784,38 @@ <h2 id="amazonchime-actions-as-permissions">
                <td>
                </td>
               </tr>
+              <tr>
+               <td>
+                <a id="amazonchime-CreateMeetingWithAttendees">
+                </a>
+                <a href="https://docs.aws.amazon.com/chime/latest/APIReference/API_CreateMeetingWithAttendees.html">
+                 CreateMeetingWithAttendees
+                </a>
+               </td>
+               <td>
+                Grants permission to create a new Amazon Chime SDK meeting in the specified media
+                                                Region, with a set of attendees
+               </td>
+               <td>
+                Write
+               </td>
+               <td>
+               </td>
+               <td>
+                <p>
+                 <a href="#amazonchime-aws_RequestTag___TagKey_">
+                  aws:RequestTag/${TagKey}
+                 </a>
+                </p>
+                <p>
+                 <a href="#amazonchime-aws_TagKeys">
+                  aws:TagKeys
+                 </a>
+                </p>
+               </td>
+               <td>
+               </td>
+              </tr>
               <tr>
                <td>
                 <a id="amazonchime-CreatePhoneNumberOrder">

policy_sentry/shared/data/docs/list_amazoncloudwatch.html

@@ -216,7 +216,7 @@ <h2 id="amazoncloudwatch-actions-as-permissions">
            </p>
            <div class="table-container">
             <div class="table-contents">
-             <table id="w468aac34c14c29d158c11b9">
+             <table id="w468aac33c14c29d158c11b9">
               <thead>
                <tr>
                 <th>
@@ -1216,7 +1216,7 @@ <h2 id="amazoncloudwatch-resources-for-iam-policies">
            </p>
            <div class="table-container">
             <div class="table-contents">
-             <table id="w468aac34c14c29d158c13b5">
+             <table id="w468aac33c14c29d158c13b5">
               <thead>
                <tr>
                 <th>
@@ -1364,7 +1364,7 @@ <h2 id="amazoncloudwatch-policy-keys">
            </p>
            <div class="table-container">
             <div class="table-contents">
-             <table id="w468aac34c14c29d158c15b7">
+             <table id="w468aac33c14c29d158c15b7">
               <thead>
                <tr>
                 <th>

policy_sentry/shared/data/docs/list_amazoncloudwatchsynthetics.html

@@ -216,7 +216,7 @@ <h2 id="amazoncloudwatchsynthetics-actions-as-permissions">
            </p>
            <div class="table-container">
             <div class="table-contents">
-             <table id="w468aac34c14c29d170c11b9">
+             <table id="w468aac33c14c29d170c11b9">
               <thead>
                <tr>
                 <th>
@@ -537,7 +537,7 @@ <h2 id="amazoncloudwatchsynthetics-resources-for-iam-policies">
            </p>
            <div class="table-container">
             <div class="table-contents">
-             <table id="w468aac34c14c29d170c13b5">
+             <table id="w468aac33c14c29d170c13b5">
               <thead>
                <tr>
                 <th>

policy_sentry/shared/data/docs/list_amazoncodeguru.html

@@ -216,7 +216,7 @@ <h2 id="amazoncodeguru-actions-as-permissions">
            </p>
            <div class="table-container">
             <div class="table-contents">
-             <table id="w468aac34c14c29d194c11b9">
+             <table id="w468aac33c14c29d194c11b9">
               <thead>
                <tr>
                 <th>

policy_sentry/shared/data/docs/list_amazoncodegurureviewer.html

@@ -216,7 +216,7 @@ <h2 id="amazoncodegurureviewer-actions-as-permissions">
            </p>
            <div class="table-container">
             <div class="table-contents">
-             <table id="w468aac34c14c29d202c11b9">
+             <table id="w468aac33c14c29d202c11b9">
               <thead>
                <tr>
                 <th>
@@ -576,7 +576,7 @@ <h2 id="amazoncodegurureviewer-resources-for-iam-policies">
            </p>
            <div class="table-container">
             <div class="table-contents">
-             <table id="w468aac34c14c29d202c13b5">
+             <table id="w468aac33c14c29d202c13b5">
               <thead>
                <tr>
                 <th>
@@ -708,7 +708,7 @@ <h2 id="amazoncodegurureviewer-policy-keys">
            </p>
            <div class="table-container">
             <div class="table-contents">
-             <table id="w468aac34c14c29d202c15b7">
+             <table id="w468aac33c14c29d202c15b7">
               <thead>
                <tr>
                 <th>

policy_sentry/shared/data/docs/list_amazoncomprehend.html

@@ -216,7 +216,7 @@ <h2 id="amazoncomprehend-actions-as-permissions">
            </p>
            <div class="table-container">
             <div class="table-contents">
-             <table id="w468aac34c14c29d234c11b9">
+             <table id="w468aac33c14c29d234c11b9">
               <thead>
                <tr>
                 <th>
@@ -1670,7 +1670,7 @@ <h2 id="amazoncomprehend-resources-for-iam-policies">
            </p>
            <div class="table-container">
             <div class="table-contents">
-             <table id="w468aac34c14c29d234c13b5">
+             <table id="w468aac33c14c29d234c13b5">
               <thead>
                <tr>
                 <th>
@@ -1856,7 +1856,7 @@ <h2 id="amazoncomprehend-policy-keys">
            </p>
            <div class="table-container">
             <div class="table-contents">
-             <table id="w468aac34c14c29d234c15b7">
+             <table id="w468aac33c14c29d234c15b7">
               <thead>
                <tr>
                 <th>

policy_sentry/shared/data/docs/list_amazondynamodb.html

@@ -216,7 +216,7 @@ <h2 id="amazondynamodb-actions-as-permissions">
            </p>
            <div class="table-container">
             <div class="table-contents">
-             <table id="w468aac34c14c29d318c11b9">
+             <table id="w468aac33c14c29d318c11b9">
               <thead>
                <tr>
                 <th>
@@ -1850,7 +1850,7 @@ <h2 id="amazondynamodb-resources-for-iam-policies">
            </p>
            <div class="table-container">
             <div class="table-contents">
-             <table id="w468aac34c14c29d318c13b5">
+             <table id="w468aac33c14c29d318c13b5">
               <thead>
                <tr>
                 <th>
@@ -2087,7 +2087,7 @@ <h2 id="amazondynamodb-policy-keys">
            </div>
            <div class="table-container">
             <div class="table-contents">
-             <table id="w468aac34c14c29d318c15b9">
+             <table id="w468aac33c14c29d318c15b9">
               <thead>
                <tr>
                 <th>